I was reading some articles online about intel having some memory leaks that could potentially give malware access to kernel memory that contain things like your passwords. I fully understand a lot of these "articles" are just clickbait trying to work people into a frenzy to get views, but it got me wondering how do passwords work?

I know that might be a pretty sensitive topic, so I am not asking for information that would compromise anyones security, but I am interested to know how the process is handled. I know that my password has to be stored somewhere because the computer has to check my input against something. If that is the case though, how is it protected from hackers or nefarious programs from just snatching up my password from wherever it is stored?

If I have helped you solve a problem, please add [SOLVED] to your first post title, it helps other users looking for help, and keeps the forum clean.
I am using Mint 18.3 Cinnamon 64 bit with AMD processor . Memory 8GB

The memory lookahead leak can only leak a limited amount of data at a time, depending on the processor model. If your password is short enough to leak, you could move to a longer password or a passphrase or two factor authentication.

For a virus attack, there are easier and more reliable ways to get your password. Phishing and other tricks are easier than virus attacks. The easiest approach is to wait until you sign up for Faceblab then every aspect of your identity will be on sale to everyone.

The key from a mildly-incorrect password is not even close to acceptable. Digest-sum functions are designed so that happens. It is very difficult, not quite impossible, to find an input password that generates a particular machine key. So even if you know what the machine-key is, by sniffing through the files of an inert machine, you can't feasibly reverse-engineer the password that generates that key and log in as that user.

Hash Algorithm When you sign up for an account on a site, you choose a username and a password. Usernames are usually stored in the site's database as plain old text. On the other hand, password was washed before it was stored

A hash function is a mathematical algorithm that will take any size data (such as a password) and will make it a part of the data appearing to look like fixed size.

The data washed 1 character long, the resulting hash would be 60 characters long.
If the data is 20 characters, the hash will be 60 characters long.
If the data is 2,000 characters long, the resulting hash will still be 60 characters long.

The hash function overrides the data, and it spreads / decreases the "secret code" of a certain length. The output of this type of hash function will be unique, and it will always give the same result. In other words, the hash of "cheese" is always the same. But the hash of "cheese" will be very different from the hash of "paneer" (finally low-case "e"). This is the continuation of output and very unique results which are the key here.

techsophia wrote:The output of this type of hash function will be unique [ ... ]

For most practical purposes, sure, but note that essentially, no, certainly not. Mathematically this is obvious: you used a 60 character hash as an example; let's say "a character" is an N-bit value, i.e., can hold 2^N values (8 and 256 for standard bytes). Your hash would then be a (60*N)-bit entity, can hence hold 2^(60*N) possible values. There are clearly more than 2^(60*N) possible passwords so at least two of them must generate the same hash.

The above is for any value of N, and certainly the same argument holds for any value other than 60 as well, which is to say that a fundamental property of hashes is in fact that they are not necessarily unique. This is also important: specific hash functions are to be judged on chances of generating the same hash from non-same data, including the distribution of hashes over all possible ones. When to be used in a cryptographic context, moreover including (practical) irreversibility, when to be used in an error-detection context including minor changes in data having major chance of changes in hash -- and so on.

Not sure this is necessary but I wanted to clarify some terminology because it bugs me. Passwords are hashed, as other posters have mentioned. Passwords are never encrypted, or rather should never be encrypted. The term "encrypted" gets misused but I understand why (universal term for obfuscation). Encryption is two-way because you need to be able to see what you encrypted at some point. Hashing is one way because you NEVER need to see what you have hashed, at least with passwords. No one ever needs to know a password in plain text form other than the user. If an application stores user passwords encrypted, there is a key to be able to decrypt all the passwords. Very bad.

My .02.

HP z800 2x6 core Xeon, 96 GB DDR3 5.5TB SSD, Evga 1050Ti 4GB, Mint 18.2 Cinnamon
"Give a man a truth and he will think for a day. Teach a man to reason and he will think for a lifetime"